COMMUNICATION SCHEME USING OUTSIDE DTCP BRIDGE FOR REALIZING COPYRIGHT PROTECTION

BACKGROUND OF THE INVENTION
FIELD OF THE INVENTION

The present invention relates to a communication relay device, a communication system, and a communication control program for relaying transmission and reception of information between an inside network and an outside network.

DESCRIPTION OF THE RELATED ART

The products called digital information home electronics are becoming popular. These products are expected to become even more popular in conjunction with the start of digital broadcasting, and include all kinds of products for handling digital data and digital contents, such as digital broadcasting compatible TVs, set-top boxes, digital VTRs, DVD players, hard disk recorders, etc.

The quality of digital data and digital contents is not degraded when they are copied, and copies can be made easily, so there is a need to provide a measure for copyright protection in advance. For example, IEEE 1394, which is a digital network for connecting digital AV devices, provides an authentication and key exchange mechanism and a data encryption function.

Here, consider a case of transferring AV data that require copyright protection from some transmission device. What needs to be taken into consideration here is that copyright protection presupposes that the exchange of the AV data is allowed within the range of personal (or family) entertainment, but that the exchange of the AV data with a third person is prevented (unless permission from the copyright holder is given).

A known mechanism for realizing copyright protection on a network is DTCP (Digital Transmission Content Protection), a copyright protection scheme that has become the de facto standard in IEEE 1394 and USB.

DTCP provides a mechanism for carrying out authentication and key exchange between a transmission device and a reception device and transferring the AV data in encrypted form, for contents such as AV data that require copyright protection (see the documents disclosed at "http://www.dtla.com", for example). By using DTCP, it becomes possible to transmit AV data on an inside network (an IEEE 1394 network, for example) in a state that guarantees copyright protection.

On the other hand, in conjunction with the spread of the Internet, it has become customary to exchange digital data on a public network. Under such circumstances, there can be cases where a user requests access to data maintained at the user's home from a mobile environment, as in the case of access from the user's villa. If such a request were rejected for the reason of copyright protection, the user's convenience would be severely damaged.

However, the current DTCP has its application target limited to home networks such as IEEE 1394. In order to make it possible for a user to access the contents maintained at the user's home from a mobile environment, there is a need to expand the current DTCP so that it can be used outside as well, and to expand the mechanism realized by the inside DTCP to the outside, but conventionally there has been no proposal for such a new mechanism.

BRIEF SUMMARY OF THE INVENTION

It is therefore an object of the present invention to provide a communication relay device, a communication system and a communication control program in which information that has been transmitted/received between inside networks can be transmitted/received even between outside networks while maintaining the copyright protection.

According to one aspect of the present invention there is provided a communication relay device connected to a home network, for relaying information between an outside communication device connected to an outside network and a home communication device connected to the home network, comprising: a first copyright protection unit configured to carry out a first authentication and key exchange processing for the purpose of copyright protection between the communication relay device and the home communication device on the home network; a second copyright protection unit configured to carry out a second authentication and key exchange processing for the purpose of copyright protection between the communication relay device and the outside communication device on the outside network, based on a scheme different from the first authentication and key exchange processing; an identification information memory unit which stores identification information of the outside communication device; and a bridge processing unit configured to receive an access request for the home network from the outside communication device, and carry out transmission/reception of information between the home network and the outside network only when the outside communication device which made the access request is stored in the identification information memory unit, and then only when both the first authentication and key exchange processing by the first copyright protection unit and the second authentication and key exchange processing by the second copyright protection unit succeed.

According to another aspect of the present invention there is provided a communication system, comprising: a home communication device on a home network; an outside communication device on an outside network; and a communication relay device for relaying information between the home network and the outside network, the communication relay device having: a first copyright protection unit configured to carry out a first authentication and key exchange processing for the purpose of copyright protection between the communication relay device and the home communication device on the home network; a second copyright protection unit configured to carry out a second authentication and key exchange processing for the purpose of copyright protection between the communication relay device and the outside communication device on the outside network, based on a scheme different from the first authentication and key exchange processing; an identification information memory unit which stores identification information of the outside communication device; and a bridge processing unit configured to receive an access request for the home network from the outside communication device, and carry out transmission/reception of information between the home network and the outside network only when the outside communication device which made the access request is stored in the identification information memory unit, and then only when both the first authentication and key exchange processing by the first copyright protection unit and the second authentication and key exchange processing by the second copyright protection unit succeed.

According to another aspect of the present invention there is provided a computer program product for causing a computer to function as a communication relay device connected to a home network, for relaying information between an outside communication device connected to an outside network and a home communication device connected to the home network, the computer program product comprising: a first computer program code for causing the computer to carry out a first authentication and key exchange processing for the purpose of copyright protection between the communication relay device and the home communication device on the home network; a second computer program code for causing the computer to carry out a second authentication and key exchange processing for the purpose of copyright protection between the communication relay device and the outside communication device on the outside network, based on a scheme different from the first authentication and key exchange processing; a third computer program code for causing the computer to store identification information of the outside communication device; and a fourth computer program code for causing the computer to receive an access request for the home network from the outside communication device, and carry out transmission/reception of information between the home network and the outside network only when the outside communication device which made the access request is stored in the identification information memory unit, and then only when both the first authentication and key exchange processing by the first computer program code and the second authentication and key exchange processing by the second computer program code succeed.

Other features and advantages of the present invention will become apparent from the following description taken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 is a block diagram showing an overall configuration of a communication system according to the first embodiment of the present invention.

Fig. 2 is a block diagram showing an internal configuration of an outside DTCP bridge in the communication system of Fig. 1.

Fig. 3 is a diagram showing an exemplary data structure of an outside device registration table in the outside DTCP bridge of Fig. 2.

Fig. 4 is a block diagram showing an exemplary internal configuration of a transmission device inside a user's home in the communication system of Fig. 1.

Fig. 5 is a block diagram showing an exemplary internal configuration of a reception device outside a user's home in the communication system of Fig. 1.

Figs. 6A, 6B and 6C are flow charts showing procedures for registration into an outside device registration table in the outside DTCP bridge of Fig. 2.

Fig. 7 is a sequence chart showing an exemplary processing procedure for carrying out communications between a user's home and a reception device outside a user's home in the communication system of Fig. 1.

Fig. 8 is a block diagram showing an overall configuration of a communication system according to the second embodiment of the present invention.

Fig. 9 is a block diagram showing an internal configuration of an outside DTCP bridge in the communication system of Fig. 8.

Fig. 10 is a sequence chart for a processing between an outside DTCP bridge and a home router in the communication system of Fig. 8.



DETAILED DESCRIPTION OF THE INVENTION

Referring now to Fig. 1 to Fig. 7, the first embodiment of the communication scheme according to the present invention will be described in detail.

Fig. 1 shows an overall configuration of a communication system according to the first embodiment of the present invention. The communication system of Fig. 1 has a transmission device 2, a home network 3 and an outside DTCP bridge 4, which are provided inside a user's home 1, and a reception device 6 at the outside, which is connected to the user's home 1 through the Internet 5.
Here, a specific form of the home network 3 is not essential, and any of 802.11 radio LAN, Ethernet, and IEEE 1394 can be used, for example. The home network 3 may have other devices connected to it besides those shown in Fig. 1. Also, in the case of using the Internet protocol on the home network 3, a specific type of the protocol is not essential, and either IPv4 or IPv6 can be used, for example.

The outside DTCP bridge 4 is a feature of this embodiment. It mediates transmission/reception of AV data that require copyright protection between the transmission device 2 inside the user's home 1 and the reception device 6 at the outside. The outside DTCP bridge 4 is connected with the home network 3 and the Internet 5.

Fig. 2 shows an internal configuration of the outside DTCP bridge 4. The outside DTCP bridge 4 has an inside network interface 11, DTCP related packet filters 12 and 13, a DTCP processing unit 14, a home router and firewall processing unit 15, and an outside network interface 16. Besides these, the outside DTCP bridge 4 may have a built-in modem (an ADSL modem or a photo-electric conversion device for FTTH).

The inside network interface 11 is a module that functions as an interface with the home network 3 such as radio LAN, Ethernet, IEEE 1394, etc. The DTCP related packet filter 12, located between the inside network interface 11 and the DTCP processing unit 14, has a function for selectively passing to the DTCP processing unit 14, from among the packets entering from the inside network interface 11, the control packets of DTCP, which is the copyright protection processing (packets for the DTCP authentication and key exchange, for example), and the packets containing AV data that require copyright protection. Also, the DTCP related packet filter 12 multiplexes the packets from the DTCP processing unit 14 with the packets unrelated to DTCP that are output from the other DTCP related packet filter 13, and outputs them to the inside network interface 11.

The outside network interface 16 is a module that functions as an interface with the Internet 5 (public network). The home router and firewall processing unit 15 is a module that has the functions of a home router, NAT (Network Address Translation), firewall, etc. The DTCP related packet filter 13, located between the home router and firewall processing unit 15 and the DTCP processing unit 14, carries out an operation similar to that of the DTCP related packet filter 12.

The DTCP processing unit 14 has an automatic configuration recognition and home electronics control Web server processing unit 22, an inside DTCP AKE processing unit 23, an outside DTCP AKE processing unit 24, an outside device registration table 25, and a user authentication registration table 26.

The DTCP processing unit 14 carries out the processing related to DTCP copyright protection, which mainly includes: (1) the DTCP authentication and key exchange processing between the transmission device 2 and the reception device 6 (or another DTCP bridge) through the inside network interface 11 and the outside network interface 16, (2) the encryption/decryption processing for the AV data that require copyright protection, (3) the DTCP bridge processing, and (4) the AV data coding conversion processing, the protocol conversion processing, the bandwidth conversion processing, etc., which are carried out as needed.

The inside DTCP AKE processing unit 23 carries out the DTCP authentication and key exchange (AKE) processing on the inside (home) side. The DTCP authentication and key exchange is carried out by using packets indicated by specific port numbers (port numbers allocated to the DTCP AKE) in IP packets, frames dedicated to DTCP on the radio LAN or Ethernet, or security commands of AV/C packets of IEEE 1394, for example. The authentication and key exchange that is carried out inside the home has a range of validity limited to the inside of the home, so it may be provided with measures such as setting the value of the TTL (Time To Live) equal to 1, 2 or 3, using a link local address as the IP address, using Ethernet frames instead of IP packets in the packet transmission, or limiting the time-out period until the packets arrive, for example.
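The scope-limiting measures just listed can be checked on each arriving inside AKE packet. The following is an added example in Python, not code from the patent, which combines them into one acceptance check: the TTL must be 1, 2 or 3, the source address must be link-local, and the packet must have arrived within a bound on the delivery time. The packet representation, the AKE port number and the delivery-time bound are assumptions, and the sample packets are constructed.

```python
"""Scope check for inside (home-side) DTCP AKE packets.

Added example; not code from the patent. It combines the measures the text
lists for keeping the inside AKE valid only within the home. The packet
representation, the AKE port number and the delivery-time bound are
assumptions; the sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

INSIDE_AKE_PORT = 55000    # assumed placeholder; the page names no port number
MAX_INSIDE_TTL = 3         # the text permits TTL = 1, 2 or 3
MAX_DELIVERY_MS = 10.0     # assumed bound for the "time-out period until the packets arrive"


@dataclass
class AkePacket:
    src: str            # source IP address as text
    dst_port: int       # destination port
    ttl: int            # IP TTL (hop limit) seen on arrival
    delivery_ms: float  # measured time until the packet arrived


def reject_reasons(pkt: AkePacket) -> List[str]:
    """Return every inside-AKE scope rule the packet breaks; an empty list means accept."""
    reasons = []
    if pkt.dst_port != INSIDE_AKE_PORT:
        reasons.append("not addressed to the inside AKE port")
    if not 1 <= pkt.ttl <= MAX_INSIDE_TTL:
        reasons.append(f"ttl {pkt.ttl} outside 1..{MAX_INSIDE_TTL}")
    try:
        addr = ipaddress.ip_address(pkt.src)
    except ValueError:
        reasons.append(f"unparsable source address {pkt.src!r}")
    else:
        # 169.254.0.0/16 for IPv4 and fe80::/10 for IPv6 are never routed beyond the link
        if not addr.is_link_local:
            reasons.append(f"source {pkt.src} is not link-local")
    if pkt.delivery_ms > MAX_DELIVERY_MS:
        reasons.append(f"delivery {pkt.delivery_ms} ms exceeds {MAX_DELIVERY_MS} ms")
    return reasons


def accept_inside_ake(pkt: AkePacket) -> bool:
    return not reject_reasons(pkt)


# Constructed sample packets
SAMPLES = [
    AkePacket("fe80::1a2b:3c4d:5e6f:7a8b", INSIDE_AKE_PORT, 1, 0.8),  # accept
    AkePacket("169.254.10.20", INSIDE_AKE_PORT, 3, 2.0),               # accept
    AkePacket("203.0.113.7", INSIDE_AKE_PORT, 64, 45.0),               # reject: global source, TTL, delay
    AkePacket("fe80::1", INSIDE_AKE_PORT, 5, 1.0),                     # reject: TTL
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p.src, "accept" if accept_inside_ake(p) else reject_reasons(p))
```

Returning the full list of failed rules rather than a single boolean is deliberate: a bridge that logs every reason an AKE attempt was refused makes it easy to tell a misconfigured home device (TTL too high) from a request that arrived from beyond the home network (a routable source address).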

The outside DTCP AKE processing unit 24 carries out the DTCP authentication and key exchange (AKE) processing on the outside (away from home) side. The outside DTCP authentication and key exchange is carried out by using packets indicated by specific port numbers in IP packets, or by HTTP with an indication of the DTCP packet using a specific label (X-DTCP, for example) in the HTML. When HTTP is used, there is an advantage in that the communications can be continued even when a proxy server or a network address translation (NAT) device exists in the middle of the route used for the authentication and key exchange. In the outside DTCP authentication and key exchange there is no need to set a limit on the value of the TTL, for example, and the communications may be established by using a global IP address, because how far the correspondent device (the reception device 6 in this embodiment) is located from the DTCP bridge is unknown.

In DTCP, a mechanism called sink limitation is defined. Namely, it is a mechanism for limiting the number of devices that can carry out communications simultaneously (or the number of devices that can exchange the identical AV stream simultaneously) to less than or equal to a certain number. If the sink limitation mechanism is not introduced, a practically unlimited number of devices can be connected on an identical network, and a huge number of copies of the AV data can be made for the connected devices from a single AV stream, such that a large amount of copied contents is generated. The sink limitation is introduced in order to prevent such a problem.

The outside DTCP bridge 4 of this embodiment has the four features (1) to (4) described below, which reinforce the sink limitation mechanism. Note that it is also possible to realize only a part of these features (1) to (4).

(1) A device from which access can be made from outside the home (the reception device 6, for example) is registered in advance in the outside device registration table 25, and the communication (a request for the authentication and key exchange) from any device other than those registered in this registration table will be rejected.

(2) The number of devices that can be registered in the outside device registration table 25 is limited to less than or equal to a certain number (16 devices, for example); in other words, there is an upper limit on the size of the table.

(3) A device that is registered once will remain registered in the outside device registration table 25 permanently (the registration is not lost even when the power is turned off or the power supply is reduced).

(4) The registration into the outside device registration table 25 can be made only inside the home.

Fig. 3 shows an exemplary data configuration of the outside device registration table 25. As shown in Fig. 3, the outside device registration table 25 is divided into required items and optional items, where the required items include at least one of a device ID that is described in a device certificate for copyright protection that has to be allocated to each device (the reception device 6 in this embodiment), and a MAC address which is an ID unique to that device (which is expressed in general by a combination of address type and ID, as in the case of an IEEE 802 address, for example). The optional items include an access start time, a registration time indicating the time at which the registration into the outside device registration table 25 was made, and an access state. Note that the required items are indispensable, but the optional items can be set up as needed.
Only the DTCP devices that are registered in the outside device registration table 25 in advance can participate in the DTCP bridge communications with the user's home 1 through the outside DTCP bridge 4. In other words, any device other than those registered in advance cannot carry out the DTCP bridge communications.

Also, because the number of devices that can carry out communications is limited to a certain number by the feature (2) described above, it becomes impossible to rewrite the content of the outside device registration table 25 on each occasion of communication so as to obtain permission for communication with a different device each time, such that data could be transmitted to a practically unlimited number of devices (at different transmission timings). Consequently, it is possible to prevent illegal copying by the user, and it is also possible to prevent accesses by unspecified many devices to the outside DTCP bridge 4. In other words, according to this embodiment, the number of reception devices that can make access from the outside can be reliably limited to the number described in the feature (2).

The outside device registration table 25 should preferably be configured such that alteration by the user is impossible. This is because if alteration by the user were possible, it would become possible to carry out communications with a practically unlimited number of devices by registering the device to communicate with on each occasion of communication.

The user authentication registration table 26 registers a user ID and a password of the reception device 6 that can make access to the outside DTCP bridge 4. When a DTCP authentication and key exchange request is made from the outside of the home, the outside DTCP AKE processing unit 24 carries out user authentication, checking whether the user ID and the password of the reception device 6 that made the DTCP authentication and key exchange request are registered in the user authentication registration table 26, and carries out the DTCP authentication and key exchange processing only when the user authentication succeeds.

In this way, it becomes possible to reject access requests from the DTCP devices of others whose user IDs and passwords are not registered, even if they are in compliance with DTCP.

Both the outside device registration table 25 and the user authentication registration table 26 are configured such that they cannot be altered by access from the outside, and the outside device registration table 25 is configured such that it cannot be altered even by user access from inside the home.

The DTCP bridge processing unit 21 logically connects the inside network and the outside network, and carries out the bridge processing, which includes the reception of the encrypted AV data from the transmission device 2 and decryption of the encrypted AV data (decryption using the key obtained by the inside DTCP AKE processing unit 23), re-encryption (encryption using the key agreed upon by the outside DTCP AKE processing unit 24), and transmission of the re-encrypted AV data to the reception device 6.
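The gate order and the two-key relay can be made concrete. The following is an added example in Python, not code from the patent, of a bridge processing unit that applies the checks of this embodiment in sequence (device registered in table 25, user ID and password in table 26, outside AKE, inside AKE) and, only when all succeed, decrypts the AV data with the inside key and re-encrypts them with the outside key. The DTCP AKE and the DTCP content cipher are not reproduced; they are replaced by stand-ins (an HMAC proof of a shared secret, and an HMAC-SHA256 keystream), and all secrets, identifiers and data are constructed. Storing the password as a salted hash is an assumption beyond the text, which only says the table holds a user ID and a password.

```python
"""Gate and relay logic of the DTCP bridge processing unit.

Added example; not code from the patent. The DTCP AKE and the DTCP content
cipher are replaced by stand-ins. Shown: the gate order of the text
(registered device, then user ID/password, then both AKEs) and the relay in
which AV data are decrypted with the inside-AKE key and re-encrypted with
the outside-AKE key, so the outside device never holds the home-side key.
All secrets, IDs and data are constructed.
"""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in content cipher: counter-mode keystream from HMAC-SHA256 (not the DTCP cipher).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Symmetric: the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def ake_proof(secret: bytes, nonce: bytes) -> bytes:
    # AKE stand-in: the peer proves knowledge of a secret shared with the bridge.
    return hmac.new(secret, b"proof" + nonce, hashlib.sha256).digest()


def ake_verify(secret: bytes, nonce: bytes, proof: bytes):
    # Returns the agreed session key on success, None when the AKE fails.
    if not hmac.compare_digest(ake_proof(secret, nonce), proof):
        return None
    return hashlib.sha256(b"key" + secret + nonce).digest()[:16]


def password_record(password: str):
    # One row of the user authentication registration table 26 (salted hash: an assumption).
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class OutsideDtcpBridge:
    def __init__(self, registered_ids, user_table, home_secret, outside_secrets):
        self.registered_ids = registered_ids    # stand-in for the outside device registration table 25
        self.user_table = user_table            # user ID -> (salt, hash), stand-in for table 26
        self.home_secret = home_secret          # shared with the transmission device 2 (constructed)
        self.outside_secrets = outside_secrets  # device ID -> secret shared with that device (constructed)

    def user_ok(self, user_id: str, password: str) -> bool:
        rec = self.user_table.get(user_id)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def relay(self, request: dict, home_proof: bytes, encrypted_av: bytes, nonce: bytes):
        """Apply the gates in the order of the text; return (ok, reason, bytes for the reception device)."""
        dev = request["device_id"]
        if dev not in self.registered_ids:
            return False, "device not registered", b""
        if not self.user_ok(request["user_id"], request["password"]):
            return False, "user authentication failed", b""
        outside_key = ake_verify(self.outside_secrets.get(dev, b""), nonce, request["proof"])
        if outside_key is None:
            return False, "outside AKE failed", b""
        inside_key = ake_verify(self.home_secret, nonce, home_proof)
        if inside_key is None:
            return False, "inside AKE failed", b""
        plain = xor_crypt(inside_key, nonce, encrypted_av)       # decrypt with the inside key
        return True, "ok", xor_crypt(outside_key, nonce, plain)  # re-encrypt with the outside key


# Constructed setup: one registered device, one user, one shared secret per side.
HOME_SECRET = b"constructed-home-secret"
DEV6_SECRET = b"constructed-device-6-secret"
NONCE = b"\x01" * 8
AV_DATA = b"constructed AV stream bytes"
BRIDGE = OutsideDtcpBridge({"dev-6"}, {"alice": password_record("correct horse")},
                           HOME_SECRET, {"dev-6": DEV6_SECRET})


def demo(device_id="dev-6", user="alice", password="correct horse", device_secret=DEV6_SECRET):
    """Transmission device 2 encrypts under the inside key; reception device 6 decrypts the relayed
    bytes under the outside key. Returns (ok, reason, plaintext recovered by the reception device)."""
    inside_key = hashlib.sha256(b"key" + HOME_SECRET + NONCE).digest()[:16]
    request = {"device_id": device_id, "user_id": user, "password": password,
               "proof": ake_proof(device_secret, NONCE)}
    ok, reason, relayed = BRIDGE.relay(request, ake_proof(HOME_SECRET, NONCE),
                                       xor_crypt(inside_key, NONCE, AV_DATA), NONCE)
    if not ok:
        return ok, reason, b""
    outside_key = hashlib.sha256(b"key" + device_secret + NONCE).digest()[:16]
    return ok, reason, xor_crypt(outside_key, NONCE, relayed)


if __name__ == "__main__":
    print(demo())
    print(demo(device_id="dev-9"))
    print(demo(password="wrong"))
    print(demo(device_secret=b"not-the-shared-secret"))
```

The order of the gates matters for the reason the text gives: an unregistered device is refused before any password check or AKE runs, so table 25 bounds the set of devices that can even reach the user authentication step, and the inside AKE is only spent on requests that have passed the outside-facing checks.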

The automatic configuration recognition and home electronics control Web server processing unit 22 has a function for automatically recognizing the configuration of devices existing in the home network, or of devices that can be controlled and monitored from the outside DTCP bridge 4, and automatically producing a Web page for controlling, monitoring and managing these devices, and a function for publicly disclosing the produced Web page to the outside of the home by using an internal Web server. It is also possible to disclose the produced Web page to the inside of the home as well.

Fig. 4 shows an exemplary internal configuration of the transmission device 2 inside the user's home 1. As shown in Fig. 4, the transmission device 2 has a network interface unit 31, a communication processing unit 32 for carrying out the communication processing, a DTCP device ID recording unit 33 for recording the DTCP device ID of this transmission device 2, an ID processing unit 34 for processing the DTCP device ID and the MAC address transmitted from the outside DTCP bridge 4, an ID management unit 35 for registering the DTCP device ID and the MAC address in an ID list and carrying out the processing for comparing the IDs received from the outside DTCP bridge 4 with the values recorded in the ID list, an authentication and key exchange processing unit 36 for carrying out the DTCP authentication and key exchange processing for the purpose of copyright protection, an encryption processing unit 37 for carrying out encryption/decryption of the data to be transmitted, a packet processing unit 38 for converting the AV contents data and the DTCP management data to be transmitted to the outside DTCP bridge 4 into communication packets, and a contents providing unit 39 for storing the contents.

Here, the DTCP device ID is an identification number of the DTCP device. It is preferably a value allocated to the DTCP device in advance such that each DTCP device has a unique value over the entire world.
Fig. 5 shows an exemplary internal configuration of the reception device 6 outside the home. As shown in Fig. 5, the reception device 6 has a network interface unit 41 for carrying out the network processing, a communication processing unit 42 for carrying out the communication processing, a device ID recording unit 43 for recording the DTCP device ID of the reception device 6, a device unique ID acquisition unit 44 for acquiring a device unique value (MAC address), a device ID transmission unit 45 for transmitting the acquired device ID, an authentication and key exchange processing unit 46 for carrying out the DTCP authentication and key exchange processing for the purpose of copyright protection, an encryption processing unit 47 for carrying out encryption/decryption of the received data, a packet processing unit 48 for converting the received packets into the AV contents data and the DTCP management data, a contents processing unit 49 for carrying out the processing to output or store the packets to a display device or the like, and an inside/outside access specifying unit 50 for specifying whether this reception device 6 is to be used inside the home or outside the home.

The inside/outside access specifying unit 50 has a function for specifying the case in which the reception device 6 is to be used inside the user's home (a state in which communication with the transmission device 2 is possible without passing through the outside DTCP bridge 4) and the case in which the reception device 6 is to be used outside the user's home (a state in which communication with the transmission device 2 is possible only through the outside DTCP bridge 4).

In the case of using the reception device 6 inside the home, the encryption processing unit 47 and the authentication and key exchange processing unit 46 carry out communications by using the DTCP protocol for home use (which permits only TTL = 1, 2 or 3, for example). Also, in the case of using the reception device 6 outside the home, the encryption processing unit 47 and the authentication and key exchange processing unit 46 carry out communications by using the DTCP protocol for outside use (which carries out the user authentication in advance or permits multiple TTL values, for example).

The inside/outside switching specification by the inside/outside access specifying unit 50 may be made manually by the user, or automatically as the reception device 6 itself judges the location and the arrangement state of the reception device 6 by using GPS, etc.

The value unique to the device acquired by the device unique ID acquisition unit 44 is the MAC address of the network interface physically recorded in that device, which is allocated as a value unique to each device and managed by the network device manufacturing vendor, for example. It can be the Ethernet MAC address, a node_vendor_id or chip_id defined in IEEE 1394, or a combination of these, for example.

Now, the processing procedure in the case of transmitting the AV contents from the transmission device 2 inside the user's home 1 to the reception device 6 outside the user's home 1 through the home network 3, the outside DTCP bridge 4 and the Internet 5 (public network) will be described in further detail. In this embodiment, the reception device 6 is registered in the outside DTCP bridge 4 first. More specifically, the reception device 6 is registered in the outside device registration table 25 in the outside DTCP bridge 4. There are three procedures for the registration into the outside device registration table 25, as shown in Figs. 6A, 6B and 6C.

The first registration procedure is a method for registering the reception device 6 by manual input into the outside device registration table 25 of the outside DTCP bridge 4 in advance. More specifically, the registration can be made through some user interface (liquid crystal screen and buttons, etc.) provided in the outside DTCP bridge 4, or by using a user interface of a PC or TV (and remote controller) via the home network 3, for example.

In the case of the first registration procedure, the user first enters, in some way, the device ID and the unique ID (the value of the MAC address in this embodiment) of the device by which the user wishes to make access from the outside (the reception device 6 in this embodiment) (step S1).

Next, as needed, the outside DTCP bridge 4 is set to a mode in which registration into the outside device registration table 25 is possible (step S2). Then, the device ID and the unique ID (MAC address) entered at step S1 are registered in the outside device registration table 25 (step S3). At the time of registration, the values may be entered manually by using a keyboard or the like, or the values may be set automatically.

Once the values are registered in the outside device registration table 25, the registered content will be recorded permanently (step S4), and it is preferably made such that the user cannot change the registered content later on. This is because if multiple registration by repetition of deletion and re-registration were allowed, it would become possible to transmit information to outside devices a practically unlimited number of times by repeating the registration.

Also, at the same time, it is possible to carry out the registration of information related to user authentication, such as the user ID and the password or the like, into the user authentication registration table 26 (step S5).

The second registration procedure is a method in
which the reception device 6 is connected to the home
network 3 (step S11), the outside DTCP bridge 4 is
changed to a registration mode (step S12), the DTCP
authentication and key exchange is carried out between
the outside DTCP bridge 4 and the reception device 6
(step S13), and the outside DTCP bridge 4 stores its
result (the DTCP device ID and the unique ID of the
reception device 6) into the outside device registration
table 25 (step S14). Note that in the case where the
reception device 6 has more than two DTCP device IDs,
the DTCP device ID to be used for the outside
communication will be stored into the outside device
registration table 25.

Note that, in this case, in order to keep the
value of the unique ID (MAC address) identical, the
interface of the home network 3 and the interface for
the outside Internet 5 (public network) should
preferably be the same (radio LAN interface, for
example).

Even in this case, it is preferably made such that
the user cannot change the registered content later on,
once the registration into the outside device
registration table 25 is made. It is also possible to
register the user authentication information such as
the user ID and the password into the user
authentication registration table 26 according to the
need.

The third registration procedure is a method for
making an ad hoc registration from the outside, rather
than making the registration into the outside device
registration table 25 of the outside DTCP bridge 4 from
inside the home in advance.

The outside DTCP bridge 4 is always set in a state
capable of accepting an access of a new device from the
outside, for example, and when the registration request
or the DTCP authentication and key exchange request
comes, the values of the device ID and the unique ID
(MAC address in this embodiment) of that device are
newly registered into the outside device registration
table 25 (step S21). This registration is made
permanently as in the above, and there is an upper
limit to the number of devices that can be registered,
so that it is impossible to register an unlimited
arbitrary number of outside devices.
After that, the outside DTCP bridge 4 accepts an
access request of the outside reception device 6 (step
S22). When the outside reception device 6 makes the
access request to the outside DTCP bridge 4, the user
authentication is requested to this reception device 6
(step S23), and only the reception device 6 that has
correctly responded to this request is registered into
the outside device registration table 25 (step S24).
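The three registration procedures above share the same two tables and the same rules: entries in the outside device registration table 25 are permanent, their number is capped, and user authentication gates access. The following is an added illustration of those rules in Python, not code from the patent; the class and function names are assumptions, and the device IDs, MAC addresses and credentials used with it are constructed.

```python
"""Outside device registration table (table 25) and user authentication
registration table (table 26) from the text above, as an added illustration
(not the patent's own code). Names are assumptions; sample data constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class OutsideDevice:
    device_id: str   # DTCP device ID used for the outside communication
    unique_id: str   # MAC address in this embodiment


class OutsideDeviceRegistrationTable:
    """Entries are permanent (step S4): no delete, no overwrite, so a slot
    cannot be recycled by re-registration. An upper limit (step S21)
    bounds the number of outside devices."""

    def __init__(self, max_devices: int) -> None:
        self._max = max_devices
        self._entries: set[OutsideDevice] = set()

    def register(self, dev: OutsideDevice) -> bool:
        if dev in self._entries:
            return True          # already present; costs no extra slot
        if len(self._entries) >= self._max:
            return False         # limit reached: refuse, never evict
        self._entries.add(dev)
        return True

    def is_registered(self, dev: OutsideDevice) -> bool:
        return dev in self._entries   # step S40: the (ID, MAC) pair must match


class UserAuthenticationTable:
    """Table 26: keeps a salted PBKDF2 hash per user ID, not the password."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user_id] = (salt, self._derive(password, salt))

    def verify(self, user_id: str, password: str) -> bool:
        if user_id not in self._users:
            return False
        salt, stored = self._users[user_id]
        return hmac.compare_digest(stored, self._derive(password, salt))


def bridging_permitted(devices, users, dev, user_id, password) -> bool:
    """Decision before step S41: user authentication (step S35) must pass and
    the device must already be in table 25 (step S40); otherwise nothing is relayed."""
    return users.verify(user_id, password) and devices.is_registered(dev)
```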

Fig. 7 shows an exemplary processing procedure in
the case of carrying out communications with the user's
home 1 by actually using the reception device 6 outside
the home, after the reception device 6 is registered in
the outside device registration table 25 by any one of
the first to third registration procedures shown in
Figs. 6A, 6B and 6C.

First, the outside DTCP bridge 4 recognizes the
transmission device 2 that is connected to the home
network 3 (or that has its power turned on), by using
the automatic configuration recognition procedure (step
S31). Next, the outside DTCP bridge 4 produces a Web
page capable of controlling the transmission device 2
(step S32). This Web page contains a playback button, a
contents selection button, etc.

Next, the outside DTCP bridge 4 publicly discloses
the produced Web page to outside the home (step S33).
Note that it is preferable to make this Web page
accessible only by the outside device (such as the
reception device 6) that has passed some kind of user
authentication such as the above described user
authentication.
Now, suppose that the reception device 6 that is
located outside the home wishes to download the AV
contents in the transmission device 2 inside the user's
home 1 (step S34). The user connects the reception
device 6 to the Internet 5, and makes an access to the
outside DTCP bridge 4 of the user's home 1 that is
stored in advance in the reception device 6. Of course,
it is also possible to specify the domain name or the
IP address of the outside DTCP bridge 4 by the user's
manual input. In this case, it is also possible to
apply DDNS (Dynamic Domain Name Service) to the outside
DTCP bridge 4.

The procedure by which the reception device 6
makes an access to the outside DTCP bridge 4 is as
follows. First, the user authentication is carried out
between the reception device 6 and the outside DTCP
bridge 4 (step S35). When the user authentication
passes, the outside DTCP bridge 4 transmits a control
screen of the transmission device 2 to the reception
device 6 through the automatic configuration
recognition and home electronics control Web server
processing unit 22 (step S36). Upon receiving this
control screen, the reception device 6 selects an
appropriate AV contents that can be provided by the
transmission device 2 on the control screen, and
transmits a request for transmitting the selected
specific contents to the outside DTCP bridge 4 (step
S37).

The outside DTCP bridge 4 carries out the
communications with the transmission device 2 according
to the need, and when it is recognized that the
copyright protection is put on the transmission of the
AV contents selected by the user (reception device 6)
so that the DTCP authentication and key exchange is
necessary before the transmission, the outside DTCP
bridge 4 notifies the reception device 6 that the DTCP
authentication and key exchange (for outside the home)
is necessary (step S38). It is also possible to
specify that the content is DTCP-enabled in the content
directory.

Upon receiving this notification, the outside DTCP
authentication and key exchange processing is carried
out between the outside DTCP bridge 4 and the reception
device 6 (step S39). At this point, the device ID and
the unique ID (MAC address or the like) of the
reception device 6 may be registered in the device
certificate of the reception device 6.

The outside DTCP bridge 4 checks whether (the device
ID and unique ID = MAC address of) the reception device
6 is registered in the outside device registration
table 25 or not (step S40), and if it is registered,
the outside DTCP bridge 4 connects the "authentication
and key exchange between the transmission device 2 and
the outside DTCP bridge 4 and the encryption,
transmission and decryption processing of the AV
contents" with the "authentication and key exchange
between the outside DTCP bridge 4 and the reception
device 6 and the encryption, transmission and
decryption processing of the AV contents" (steps S41 to
S43).

Namely, the encrypted contents transferred between
the transmission device 2 and the outside DTCP bridge 4
are decrypted by using a key obtained by the
authentication and key exchange between the
transmission device 2 and the outside DTCP bridge 4
(step S41), the decrypted contents are encrypted by
using a key obtained by the authentication and key
exchange between the outside DTCP bridge 4 and the
reception device 6 (step S42), and the setting of the
DTCP bridge processing unit 21 is made such that the
re-encrypted contents are transmitted to the reception
device 6 (step S43).

When the request for transmitting the contents
that require the copyright protection is made from the
reception device 6 (step S44), the outside DTCP bridge
4 transmits the transmission request for that contents
to the transmission device 2 (step S45).

The encrypted AV data transmitted from the
transmission device 2 (step S46) are applied with the
transcrypt processing (the decryption and re-encryption
of the encrypted AV data) internally (step S47), and
transmitted to the reception device 6 (step S48).
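
The decrypt-and-re-encrypt relay of steps S41 to S43 and S47, as an added illustration in Python that is not the patent's own code. The DTCP content cipher is stood in for by an HMAC-SHA256 counter-mode keystream so the block runs offline (an assumption made here, not a property of DTCP); the keys are assumed to be what the two authentication and key exchange runs produced, and class, function names and sample data are constructed.

```python
"""Transcrypt step of the outside DTCP bridge (steps S41 to S43 and S47):
decrypt with the key from the home-side AKE, re-encrypt with the key from
the outside AKE. Added illustration, not the patent's code. The DTCP
content cipher is stood in for by an HMAC-SHA256 counter-mode keystream
(an assumption for self-containment); keys, nonces and data are constructed."""
import hashlib
import hmac
from typing import Callable, Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream: successive HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts. A (key, nonce) pair
    must never be reused for two different payloads."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


class DtcpBridgeProcessingUnit:
    """Unit 21: holds one key per side, so the reception device only ever
    receives data under the outside key and never learns the home-side key."""

    def __init__(self, inside_key: bytes, outside_key: bytes,
                 transcode: Optional[Callable[[bytes], bytes]] = None) -> None:
        self._inside_key = inside_key     # from AKE with transmission device 2
        self._outside_key = outside_key   # from AKE with reception device 6
        self._transcode = transcode       # optional bandwidth conversion
        self._seq = 0                     # per-packet nonce counter

    def relay(self, encrypted_from_home: bytes, home_nonce: bytes) -> tuple[bytes, bytes]:
        """Step S47: decrypt, optionally transcode, re-encrypt under a fresh nonce.
        Returns (outside_nonce, ciphertext for the reception device)."""
        plain = xor_crypt(self._inside_key, home_nonce, encrypted_from_home)  # S41
        if self._transcode is not None:
            plain = self._transcode(plain)     # e.g. the MPEG2 to MPEG4 case in the text
        outside_nonce = self._seq.to_bytes(8, "big")
        self._seq += 1
        return outside_nonce, xor_crypt(self._outside_key, outside_nonce, plain)  # S42/S43
```

The plaintext exists only inside the bridge between the two calls, which is why the registration check of step S40 has to precede the setting of unit 21 rather than follow it.
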
At that point, if there is a gap between the
bandwidth of the home network 3 and the bandwidth
(especially the subscriber line bandwidth) of the
Internet 5 (public network), the transcode of the
decrypted AV data, i.e. the conversion of the coding
scheme and the compression bandwidth of the decrypted
AV data, may be carried out inside the DTCP bridge
processing unit 21 in the outside DTCP bridge 4. For
example, in the case where the home network 3 is the
Ethernet having a transmission rate of 100 Mbps and
the subscriber line of the public network (Internet 5)
is the ADSL having a transmission rate of 6 Mbps, the
AV data are transmitted (after the encryption) in a
form of MPEG2 video of over 25 Mbps on the home network
3, a conversion into a different coding scheme such as
MPEG4 of about 1 Mbps or a compression bandwidth of
MPEG2 of about 2 Mbps is made inside the outside DTCP
bridge 4 (after the decryption), and the AV data are
transmitted to the Internet 5 (after the
re-encryption).

It is also possible to carry out the AV data
transmission protocol conversion inside the DTCP
processing unit 14, as in the case where the AV data
transmission protocol between the transmission device 2
and the outside DTCP bridge 4 is RTP (Realtime
Transport Protocol) and the AV data transmission
protocol between the outside DTCP bridge 4 and the
reception device 6 is HTTP (HyperText Transfer
Protocol).

As described, in this first embodiment, the
outside device registration table 25 is provided in the
outside DTCP bridge 4 inside the user's home 1, and the
contents transmission from inside the user's home 1 is
permitted only to the reception device 6 that is
registered in this table in advance, so that it is
possible to prevent the illegal copy or the illegal
acquisition of the contents that require the copyright
protection, while offering an opportunity to utilize
the contents even outside the home to the legitimate
user, so that the convenience of the user can be
improved.

Also, by providing the user authentication
registration table 26 in the outside DTCP bridge 4, it
is possible to transmit the contents only to the
outside reception device 6 that has passed the user
authentication, so that it is possible to reinforce the
copyright protection.

Moreover, even if the AV data transmission
protocols used inside the user's home 1 and outside the
home or the attributes of the connected networks are
different, this difference can be absorbed by the
outside DTCP bridge 4 so that it is possible to
transmit and receive the contents without much
limitation on types of the transmission device 2 and
the reception device 6.

Referring now to Fig. 8 to Fig. 10, the second
embodiment of the communication scheme according to the
present invention will be described in detail.

The first embodiment is directed to an exemplary
case where the home router is incorporated in the
outside DTCP bridge 4, but it is also possible to
provide the home router separately from the outside
DTCP bridge.

Fig. 8 shows an overall configuration of a
communication system according to the second embodiment
of the present invention, and Fig. 9 shows an internal
configuration of the outside DTCP bridge 4. In Fig. 8
and Fig. 9, the elements identical to those shown in
Fig. 1 and Fig. 2 are given the same reference
numerals, and the difference will be mainly described
in the following.

As shown in Fig. 8, a home router 7 is provided
separately from the outside DTCP bridge 4a inside the
user's home 1, and a home router and firewall setting
unit 17 for making various settings with respect to the
home router 7 is provided inside the outside DTCP
bridge 4a. The rest of the configuration is the same as
in the first embodiment.

The following three methods are available as a
method for making an access from the outside reception
device 6 to the outside DTCP bridge 4a. (1) A NAT
(Network Address Translation) function is provided
inside the home router 7, such that the reception
device 6 can make the access to the outside DTCP bridge
4a by accessing a specific port of the home router 7.
(2) The outside DTCP bridge 4a has a globally unique IP
address, and there is a "hole" for a specific port in
the home router 7, such that it is possible to make a
direct access from the reception device 6 to the
outside DTCP bridge 4a. (3) It is also possible to
combine the above described (1) and (2).

In the case of (3), as shown in Fig. 10, the
outside DTCP bridge 4a makes an HTTP port releasing
request to the home router 7, by using UPnP (Universal
Plug and Play, see "http://www.upnp.org", for example)
(step S61). Upon receiving this request, the home
router 7 makes the setting such that the HTTP port for
the outside DTCP bridge 4a can be accessed from the
Internet 5 (step S62). Then, the home router 7
transmits an HTTP port releasing complete notice to the
outside DTCP bridge 4a (step S63).

Next, the outside DTCP bridge 4a makes a DTCP port
releasing request to the home router 7 (step S64). Upon
receiving this request, the home router 7 makes the
setting such that the DTCP port for the outside DTCP
bridge 4a can be accessed from the Internet 5 (step
S65). Then, the home router 7 transmits a DTCP port
releasing complete notice to the outside DTCP bridge 4a
(step S66).

In the case of the above described (1), a specific
port number (a port number of TCP or UDP to be used for
the DTCP authentication and key exchange, the AV data
transmission and HTTP) is notified from the outside
DTCP bridge 4a to the home router 7, and the setting is
made such that a packet arriving at this port number
will be transmitted to the outside DTCP bridge 4a.

Also, in the case of (2), the fact that the
outside DTCP bridge 4a itself has a global IP address
is notified from the outside DTCP bridge 4a to the home
router 7, and the setting is made such that the packet
destined to the outside DTCP bridge 4a can be correctly
routed.

The processing other than those described above,
i.e. the DTCP authentication and key exchange among the
transmission device 2, the outside DTCP bridge 4a and
the reception device 6, the encrypted AV data transfer,
and the DTCP bridging in the outside DTCP bridge 4a are
the same as in the first embodiment, so that their
description will be omitted here.

As described, according to the second embodiment,
the home router 7 is provided separately from the
outside DTCP bridge 4a, so that the communication
system of this embodiment can be constructed from even
the communication system which already has the home
router 7, by utilizing that home router 7, and
therefore the increase of the facility cost can be
suppressed.

The first and second embodiments described above
are directed to an exemplary case of transmitting
information from the user's home 1 to the outside, but
conversely it is also possible to transmit the contents
from the outside device to the user's home 1. In the
case of transmitting the contents from the outside to
the user's home 1, only the outside device that is
registered in advance in the outside device
registration table 25 inside the outside DTCP bridge 4
can be permitted to transmit the contents to the user's
home 1, so as to realize the copyright protection of
the contents.

The outside DTCP bridge 4 described in the above
embodiments may be realized in a form of either
hardware or software. In the case of software
configuration, a program for realizing functions of the
outside DTCP bridge 4 is stored in a recording medium
such as floppy disk or CD-ROM, which can be read out
from there and executed by a computer. The recording
medium is not necessarily limited to a portable one
such as a magnetic disk or an optical disk, and can be
a fixed one such as a hard disk device or a memory
device.

It is also possible to distribute a program for
realizing functions of the outside DTCP bridge 4
through communication channels (including those of the
radio communications) of the Internet or the like. In
addition, this program may be distributed in an
encrypted, modulated or compressed state, through the
wired channels of the Internet or the like or the radio
channels, or by storing it in a recording medium.

As described above, according to the present
invention, if the outside communication device is not
registered, the communication between the inside
network and the outside network is not permitted, so
that the illegal copying or the illegal acquisition of
information can be prevented surely. Also, if the
outside device is registered and the authentication and
key exchange succeeds, the communication between the
inside network and the outside network is permitted, so
that the information maintained inside the home can be
utilized by the legitimate user outside the home, and
therefore the convenience of the user can be improved.

It is also to be noted that, besides those already
mentioned above, many modifications and variations of
the above embodiments may be made without departing
from the novel and advantageous features of the present
invention. Accordingly, all such modifications and
variations are intended to be included within the scope
of the appended claims.